Mallory

LogMeIn Resolve

LogMeIn Resolve is a legitimate remote monitoring and management (RMM) / remote access tool that has been abused by threat actors as an initial-access and persistence mechanism. Reported campaigns distributed LogMeIn Resolve from malicious download pages impersonating legitimate software and brands including Notepad++, 7-zip, Telegram, ChatGPT, and OpenAI. In these cases, installation registered the victim host with LogMeIn infrastructure, enabling attacker remote control; attackers then used it to execute PowerShell commands and install the PatoRAT backdoor. Separate phishing campaigns also used fake party invites to trick users into installing LogMeIn Resolve.

Since at least January 2025, LogMeIn Resolve has also been used by a cybercriminal cluster targeting trucking, freight, and logistics organizations as part of cyber-enabled cargo theft operations. Proofpoint reported the use of LogMeIn Resolve alongside other RMM tools including ScreenConnect, SimpleHelp, PDQ Connect, Fleetdeck, N-able, and Naverisk. Delivery methods included compromised load boards, email thread hijacking, and direct phishing campaigns with malicious URLs leading to .exe or .msi installers. After access was established, attackers used RMM tooling for system reconnaissance, credential harvesting, persistent control, and operational disruption, including blocking dispatchers, deleting bookings, and facilitating shipment hijacking. The activity has been associated with organized crime-linked cargo theft schemes primarily affecting food and beverage shipments.

The reporting characterizes LogMeIn Resolve abuse as part of a broader trend in which legitimate, signed RMM software is used to evade traditional antivirus detection. The AhnLab EDR detection name cited in the reporting is Execution/EDR.LogMeIn.M12839.


MITRE ATT&CK: Techniques & procedures

9 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access (3 techniques)

T1078 Valid Accounts (evidence: 1)

Adversaries frequently sign up for a free trial of a legitimate service (like LogMeIn Resolve or Syncro) using a throwaway email.

T1566 Phishing (evidence: 2)

Third, they launch direct email campaigns against larger entities... In each case, emails contain malicious links that lead to executable files (.exe or .msi files), which, once clicked, silently install a remote monitoring and management (RMM) tool.

T1566.002 Spearphishing Link (evidence: 2)

Many emails were crafted to resemble Punchbowl event invitations, with subject lines like ‘SPECIAL INVITATION.’ ... The emails contained links to binary files hosted on attacker-controlled distribution sites.

Execution (1 technique)

T1204.002 Malicious File (evidence: 2)

Once the user executed the downloaded binary, the attacker gained unattended remote access to the device via the LogMeIn Resolve platform.

Persistence (2 techniques)

T1078 Valid Accounts (evidence: 1)

Adversaries frequently sign up for a free trial of a legitimate service (like LogMeIn Resolve or Syncro) using a throwaway email.

T1543.003 Windows Service (evidence: 1)

The installed agent wrote a configuration file to disk with a hard-coded relay domain controlled by the attacker and registered a Windows service using a unique ID tied to that specific configuration.

Privilege Escalation (2 techniques)

T1078 Valid Accounts (evidence: 1)

Adversaries frequently sign up for a free trial of a legitimate service (like LogMeIn Resolve or Syncro) using a throwaway email.

T1543.003 Windows Service (evidence: 1)

The installed agent wrote a configuration file to disk with a hard-coded relay domain controlled by the attacker and registered a Windows service using a unique ID tied to that specific configuration.

Stealth (2 techniques)

T1036 Masquerading (evidence: 2)

The malicious installer files carried names carefully designed to appear routine, such as Invitation.exe, ContractAgreementToSign.exe, and statmtsPDF10.25.exe.

T1078 Valid Accounts (evidence: 1)

Adversaries frequently sign up for a free trial of a legitimate service (like LogMeIn Resolve or Syncro) using a throwaway email.

Lateral Movement (1 technique)

T1021 Remote Services (evidence: 1)

Once a victim executed the downloaded file, the attacker gained unattended remote access through the LogMeIn Resolve platform.

Command and Control (2 techniques)

T1105 Ingress Tool Transfer (evidence: 2)

One of the most striking trends in recent campaigns has been the use of RMM tools as loaders for other RMM tools. Adversaries frequently sign up for a free trial of a legitimate service (like LogMeIn Resolve or Syncro) using a throwaway email. They then use that first tool to push a second, more permanent remote access tool—usually a cracked version of NetSupport Manager or a specially configured ScreenConnect instance.

T1219 Remote Access Tools (evidence: 6)

These distribution sites hosted legitimate LogMeIn Resolve binaries, preconfigured to register the targeted device to an attacker-owned account.
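As an added hunting example (not Mallory's code nor from the cited reports), the following Python correlates constructed Sysmon-style events for the chain the technique entries above describe: a lure-named installer runs, a Windows service is registered, and PowerShell is launched on the same host shortly after. The installer names are the ones quoted under T1036; the service name, hosts, timestamps and the 30-minute window are assumptions.

```python
"""Hunt for the LogMeIn Resolve abuse chain described above: a lure-named
installer runs, a Windows service is registered, then PowerShell is launched
on the same host within a short window. Events are constructed samples."""
from datetime import datetime, timedelta

# Installer names quoted under T1036 above; matched case-insensitively.
LURE_NAMES = {"invitation.exe", "contractagreementtosign.exe", "statmtspdf10.25.exe"}
WINDOW = timedelta(minutes=30)  # assumed correlation window; tune per environment


def hunt_rmm_chain(events):
    """Return one finding per lure execution that is followed, within WINDOW and
    on the same host, by both a service install and a PowerShell launch."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(ev["host"], []).append(ev)
    findings = []
    for host, evs in by_host.items():
        lures = [e for e in evs if e["type"] == "process"
                 and e["image"].rsplit("\\", 1)[-1].lower() in LURE_NAMES]
        for lure in lures:
            later = [e for e in evs if lure["ts"] <= e["ts"] <= lure["ts"] + WINDOW]
            services = [e["name"] for e in later if e["type"] == "service_install"]
            pwsh = [e["cmdline"] for e in later if e["type"] == "process"
                    and e["image"].lower().endswith(("powershell.exe", "pwsh.exe"))]
            if services and pwsh:  # all three stages present: report the chain
                findings.append({"host": host, "lure": lure["image"],
                                 "services": services, "powershell": pwsh})
    return findings


T0 = datetime(2025, 1, 15, 9, 0)
SAMPLE_EVENTS = [  # constructed Sysmon-style records, not real telemetry
    {"host": "WS01", "ts": T0, "type": "process",
     "image": r"C:\Users\alice\Downloads\Invitation.exe", "cmdline": "Invitation.exe"},
    {"host": "WS01", "ts": T0 + timedelta(minutes=2), "type": "service_install",
     "name": "<rmm-agent-service-id>"},  # page gives no service name; placeholder
    {"host": "WS01", "ts": T0 + timedelta(minutes=9), "type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -Command <constructed>"},
    # WS02: lure ran but no service or PowerShell followed -> not reported
    {"host": "WS02", "ts": T0, "type": "process",
     "image": r"C:\Users\bob\Downloads\Invitation.exe", "cmdline": "Invitation.exe"},
    # WS03: routine service install with no lure -> not reported
    {"host": "WS03", "ts": T0, "type": "service_install", "name": "BackupSvc"},
]

if __name__ == "__main__":
    for f in hunt_rmm_chain(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['lure']} -> service {f['services']} -> {f['powershell']}")
```

Only WS01 satisfies all three stages; a lone lure execution or a lone service install is left for lower-confidence triage rather than reported as the chain.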
